RE: Locking the SYS account.

My point was that if we were allowed to lock the sys account and it was
truly locked - i.e. we were not allowed to connect to it like other
accounts when they were locked - it would be a bad thing.

As it is now, Oracle allowing the account to be locked and then ignored
when we connect "as sysdba" to me is a contradiction in terms. Why even
report that the account is "locked"? We can't connect to sys unless we
connect "as sysdba" anyway.

To me, locked is locked. Can't connect to it.

So Denham's quest to lock the sys account for auditors' purposes (I
forget why he really needed to do it) is a fool's errand. A DBA (or
someone in the DBA group) can always connect to the database.

A better solution would be to audit all connections to track who is
connecting.

Perhaps this is a difference between UNIX and Windows? I am on HP-UX
and there is no problem with locking and expiring SYS. I can still do a
sqlplus /nolog and connect / as sysdba... no problems. I assume you
are on Windows and therefore locking and expiring SYS creates a problem
for you?

It would be bad if it was truly locked and we were not able to connect
to do things like shut it down. Or recover it from a crash. Or any of
the other dozen things you can only do while connected as SYS.

For good reason I think. Being able to lock the SYS account would be a
very bad thing.

If one does the RTFM thing one will find that SYS is immune to any and
all restrictions by default. Therefore things like restricting idle
time via a profile don't work, nor does locking the account or expiring
the password. Granted it's buried & not easy to find, but it's been
that way for a very LONG time.
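
The suggestion earlier in the thread to audit connections instead of locking SYS, sketched as an added example (not code from any poster in this thread). It assumes a SQL*Plus session with DBA privileges and an spfile-managed instance; the 7-day review window is an arbitrary choice.

```sql
-- 1. What the thread describes: SYS may be reported as LOCKED or EXPIRED here,
--    yet the OS-authenticated "connect / as sysdba" still succeeds, because that
--    login is decided by OS group membership, not by ACCOUNT_STATUS.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username = 'SYS';

-- 2. Accounts that can connect AS SYSDBA / AS SYSOPER through the password file.
--    OS users in the DBA group are not listed here; review that group on the host.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 3. Record the statements issued by SYSDBA/SYSOPER sessions. The records go to
--    operating-system audit files under audit_file_dest, outside the database.
--    Static parameter: takes effect at the next instance restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. Send standard audit records to the database audit trail (also static).
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 5. After the restart: audit every logon and logoff, successful or not.
AUDIT SESSION;

-- 6. Review who connected, from where, and whether it worked.
--    RETURNCODE 0 = success, 1017 = bad username/password, 28000 = account locked.
SELECT os_username,
       username,
       userhost,
       terminal,
       timestamp,
       action_name,
       returncode
FROM   dba_audit_session
WHERE  timestamp > SYSDATE - 7
ORDER  BY timestamp;
```

Because SYSDBA activity is written to OS files that the oracle software owner can modify, those files need to be shipped off the host or protected by someone other than the DBA to be useful as evidence.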